
Cloud Vulnerability DB
A community-led vulnerabilities database
CVE-2022-24713 is a high-severity vulnerability discovered in the Rust regex crate that affects versions 1.5.4 and earlier. The vulnerability was disclosed on March 8, 2022, and involves improper complexity limiting of regular expressions during parsing. This vulnerability affects applications that accept untrusted regular expressions for parsing (Rust Blog).
The regex crate contained a bug in its built-in mitigations designed to prevent untrusted regexes from taking an arbitrary amount of time during parsing. The bug specifically concerns empty sub-expressions: because they use no memory in the implementation, they bypass the pre-existing size-limit machinery. This made it possible for attackers to craft regexes that take an excessive amount of CPU time to compile while staying under the configured size limit (GitHub Advisory).
When the regex crate is used to parse untrusted regular expressions, an attacker could cause a denial of service by sending specially crafted regexes to a service that accepts user-controlled, untrusted regexes. Cases where a trusted regex is used to search untrusted input are not affected (Rust Blog).
The vulnerability was fixed in regex version 1.5.5. The fix involves adding a fake amount of memory usage for empty sub-expressions to ensure they trigger the size limit restrictions. It is recommended that all users accepting user-controlled regexes upgrade immediately to the latest version of the regex crate. Blocking known problematic regexes is not recommended as a mitigation strategy due to the infinite variety of possible exploit patterns (GitHub Advisory).
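As an added illustration of the accounting flaw and its fix (this is a toy model written for this page, not the regex crate's own code), the following compiler charges each emitted instruction against a size limit; the `Node` AST, the `Compiler` type and the `INST_BYTES` value are all assumptions of the model.

```rust
// Toy model of a size-limited regex compiler, added to illustrate the advisory
// (not the regex crate's code). Every emitted instruction is charged INST_BYTES
// against `size_limit`. Vulnerable accounting charges nothing for an empty
// sub-expression, which emits no instruction but still costs a compile step;
// fixed accounting charges it a nominal amount so the limit is reached.
pub const INST_BYTES: usize = 16; // assumed instruction size for this model

pub enum Node {
    Empty,
    Literal(char),
    Concat(Vec<Node>),
    Repeat(Box<Node>, usize), // bounded repetition x{n}, unrolled into n copies
}

pub struct Compiler {
    size_limit: usize,
    charge_empty: bool, // false = vulnerable accounting, true = fixed
    bytes: usize,
    steps: usize,
}

impl Compiler {
    pub fn new(size_limit: usize, charge_empty: bool) -> Self {
        Compiler { size_limit, charge_empty, bytes: 0, steps: 0 }
    }

    /// Returns (bytes charged, compile steps done), or Err once bytes exceed the limit.
    pub fn compile(&mut self, node: &Node) -> Result<(usize, usize), String> {
        self.visit(node)?;
        Ok((self.bytes, self.steps))
    }
    fn charge(&mut self, n: usize) -> Result<(), String> {
        self.bytes += n;
        if self.bytes > self.size_limit {
            return Err(format!("compiled regex exceeds size limit of {} bytes", self.size_limit));
        }
        Ok(())
    }

    fn visit(&mut self, node: &Node) -> Result<(), String> {
        self.steps += 1; // CPU work is spent whether or not memory is charged
        match node {
            Node::Empty => if self.charge_empty { self.charge(INST_BYTES)? },
            Node::Literal(_) => self.charge(INST_BYTES)?,
            Node::Concat(items) => for item in items { self.visit(item)?; },
            Node::Repeat(inner, n) => for _ in 0..*n { self.visit(inner)?; },
        }
        Ok(())
    }
}
```

With vulnerable accounting a large repetition of an empty sub-expression compiles with zero bytes charged while still performing a step per copy; with the fix the same input is rejected by the size limit after a handful of steps.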
Source: This report was generated using AI